OpenShift Request For Enhancement: RFE-5578

EC2 Instance Metadata Service (IMDS) version configurability


      1. Proposed title of this feature request

      EC2 Instance Metadata Service (IMDS) version configurability on HCP node pools

      2. What is the nature and description of the request?

      HCP creates EC2 instances as part of node pools. By default these instances allow both AWS EC2 IMDSv1 and IMDSv2. There is no way to enforce that the instances accept only IMDSv2, which would require applications running on OpenShift to use short-lived session tokens when they access the metadata service.

      3. Why does the customer need this? (List the business requirements here)

      IMDSv2 is more secure than IMDSv1 because it requires a short-lived session token whenever the IMDS endpoint is accessed, whether from the instance itself or from an application pod running on the instance.
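The difference between the two IMDS versions described above, shown as an added example that is not part of this RFE or of the HyperShift project: a constructed mock of the metadata service running on loopback (not the real 169.254.169.254 endpoint) that can be started in either mode of the EC2 `HttpTokens` setting. In `required` mode a plain token-less GET (IMDSv1 style) is refused with 401, while a client that first obtains a session token with a PUT to `/latest/api/token` and presents it on the GET (IMDSv2 style) succeeds. The header names are the real IMDSv2 ones; the instance ID and the mock itself are constructed.

```python
"""Constructed mock of the EC2 Instance Metadata Service (IMDS) showing the
IMDSv2 session-token exchange and how an IMDSv2-only instance
(MetadataOptions.HttpTokens=required) treats token-less IMDSv1 requests."""
import secrets
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Real IMDSv2 header names; only the endpoint address differs from a real instance.
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# Constructed sample metadata served by the mock (not a real instance ID).
SAMPLE_METADATA = {"/latest/meta-data/instance-id": "i-0123456789abcdef0"}


def make_handler(http_tokens, issued):
    """Build a request handler for the mock. http_tokens is 'optional'
    (IMDSv1 and IMDSv2 both accepted) or 'required' (IMDSv2 only)."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the mock quiet
            pass

        def _reply(self, status, body=""):
            data = body.encode()
            self.send_response(status)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def do_PUT(self):
            # IMDSv2 step 1: PUT /latest/api/token with a TTL header yields a session token.
            ttl = self.headers.get(TOKEN_TTL_HEADER)
            if self.path != "/latest/api/token" or ttl is None:
                self._reply(400)
                return
            token = secrets.token_urlsafe(32)
            issued[token] = time.monotonic() + int(ttl)  # token expires after the TTL
            self._reply(200, token)

        def do_GET(self):
            # IMDSv2 step 2: GET with the token. A GET without a token is an IMDSv1
            # request, which an HttpTokens=required instance rejects with 401.
            token = self.headers.get(TOKEN_HEADER)
            if token is not None:
                if issued.get(token, 0) < time.monotonic():
                    self._reply(401)  # unknown or expired token
                    return
            elif http_tokens == "required":
                self._reply(401)
                return
            body = SAMPLE_METADATA.get(self.path)
            if body is None:
                self._reply(404)
            else:
                self._reply(200, body)

    return Handler


def start_mock_imds(http_tokens):
    """Start the mock on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(http_tokens, {}))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def get_instance_id_v1(base_url):
    """IMDSv1-style access: plain GET, no session token.
    Returns the metadata value, or the HTTP status code if refused."""
    try:
        with urlopen(Request(base_url + "/latest/meta-data/instance-id")) as r:
            return r.read().decode()
    except HTTPError as e:
        return e.code


def get_instance_id_v2(base_url, ttl_seconds=21600):
    """IMDSv2 access: obtain a short-lived token, then present it on the GET."""
    req = Request(base_url + "/latest/api/token", method="PUT",
                  headers={TOKEN_TTL_HEADER: str(ttl_seconds)})
    with urlopen(req) as r:
        token = r.read().decode()
    req = Request(base_url + "/latest/meta-data/instance-id",
                  headers={TOKEN_HEADER: token})
    with urlopen(req) as r:
        return r.read().decode()


if __name__ == "__main__":
    for mode in ("optional", "required"):
        server, base = start_mock_imds(mode)
        print(f"HttpTokens={mode}: v1 -> {get_instance_id_v1(base)!r}, "
              f"v2 -> {get_instance_id_v2(base)!r}")
        server.shutdown()
```

On a real node the same exchange is `curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` followed by a GET carrying the returned token in `X-aws-ec2-metadata-token`, and the instance-side setting the RFE asks HCP to expose corresponds to `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required` (or `HttpTokens: required` in the launch template's metadata options). The mock treats an unknown or expired token like a missing one so that the 401 path is exercised for both cases.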

      Customers could override the setting directly on the EC2 instances, but it is unclear whether that would hold when new nodes are created through autoscaling or auto-healing.

      Enterprise environments have IAM or SCP policies that require instances to be created with IMDSv2 only. In such environments it is not possible to create HCP clusters.

      Stand-alone OCP already supports this, and HCP is OCP.

      4. List any affected packages or components.

      HyperShift, OVN

              azaalouk Adel Zaalouk
              rh-ee-bchandra Balachandran Chandrasekaran